From owner-freebsd-questions@FreeBSD.ORG Wed Oct 5 14:10:51 2005
From: "Andrew P."
To: Foo Ji-Haw
Cc: Freebsd-questions@freebsd.org
Date: Wed, 5 Oct 2005 18:10:50 +0400
Subject: Re: ipfw: ALLOWing by mac address
In-Reply-To: <01bf01c5c98b$df455ff0$c801a8c0@nexpc>
On 10/5/05, Foo Ji-Haw wrote:
> Hello all,
>
> I'd like your feedback on a problem I have with allowing access through the ipfw firewall via mac addresses.
>
> Andrew has a good point on mac address spoofing. I agree with him on the security concern, but for the situation that I am setting up, that's ok. But I really need to open the firewall via mac address.
>
> Let me detail my setup:
> dc0 is the interface to the Internet
> vr0 is the interface to the managed network
>
> I tried to read up on ipfw rules on mac, and I got something like this:
> allow ip from any to any MAC any 00:90:d1:00:80:00/33
>
> It does not work of course, but ipfw accepted the command. Basically I need the client with the mac address to be able to go past the firewall in totality.
>
> Can anyone enlighten me on the correct format? Thanks in advance.

Thanks for the credit :-)

See "man ipfw", particularly the PACKET FLOW section.

Try this:

    allow ip from any to any layer2 out MAC any 00:90:d1:00:80:00/33
    allow ip from any to any layer2 in MAC 00:90:d1:00:80:00/33 any
    allow ip from any to any layer2 via
    deny ip from any to any layer2
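As an added example (not from this thread, and not ipfw's own code), a small Python model of how ipfw evaluates the `MAC dst-mac src-mac` operands with the `/bits` mask form used above; it shows that `00:90:d1:00:80:00/33` admits every address sharing its first 33 bits, not just the one client host. The rule set and frames are constructed, and the `rule`/`frame` dict layout is an assumption of this model.

```python
# Added example, not from the thread: models ipfw's "MAC dst-mac src-mac"
# matching with the "/bits" mask form, to show what a 33-bit mask admits.
# The rule set and frames below are constructed for illustration.
CLIENT = "00:90:d1:00:80:00"   # the address used in the thread

def parse_mac(spec):
    """'XX:XX:XX:XX:XX:XX[/bits]' or 'any' -> (addr, mask) as 48-bit ints.
    Without '/bits' all 48 bits are significant, i.e. exactly one host."""
    if spec == "any":
        return 0, 0
    addr_s, _, bits_s = spec.partition("/")
    octets = addr_s.split(":")
    if len(octets) != 6 or not all(len(o) == 2 for o in octets):
        raise ValueError("bad MAC address: %r" % spec)
    bits = int(bits_s) if bits_s else 48
    if not 0 <= bits <= 48:
        raise ValueError("mask must be 0..48 bits: %r" % spec)
    mask = ((1 << bits) - 1) << (48 - bits)      # leading 'bits' bits set
    return int("".join(octets), 16) & mask, mask

def admitted_count(spec):
    """How many distinct addresses a MAC operand matches."""
    _, mask = parse_mac(spec)
    return 1 << (48 - bin(mask).count("1"))

def mac_matches(spec, mac):
    addr, mask = parse_mac(spec)
    return (parse_mac(mac)[0] & mask) == addr

def rule_matches(rule, frame):
    """rule/frame: dicts with direction, dst, src (rule also has action)."""
    if rule["direction"] not in ("any", frame["direction"]):
        return False
    return (mac_matches(rule["dst"], frame["dst"])
            and mac_matches(rule["src"], frame["src"]))

def first_match(rules, frame):
    """First-match evaluation with a closing deny, like the reply's last rule."""
    for rule in rules:
        if rule_matches(rule, frame):
            return rule["action"]
    return "deny"

# Constructed rule set: frames from the client inbound (src = client) and
# frames to the client outbound (dst = client); everything else is denied.
RULES = [
    {"action": "allow", "direction": "in",  "dst": "any", "src": CLIENT + "/33"},
    {"action": "allow", "direction": "out", "dst": CLIENT + "/33", "src": "any"},
]
```

With the mask dropped (or written as `/48`) the operand matches the single host the questioner wants; a 33-bit mask admits 32768 addresses. Note also that ipfw only sees layer2 frames when the `net.link.ether.ipfw` sysctl is set to 1.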